PT-2026-40822 · Frappe · Erpnext
Ilyass-Armadin · Published 2026-05-13 · Updated 2026-05-14 · CVE-2026-44445
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
ERPNext versions prior to 15.104.3
ERPNext versions prior to 16.12.0
Description
An improper restriction of XML external entity (XXE) references in the EDI module allows an authenticated attacker to read files from the local file system, including sensitive configuration files. XXE is a class of attack that occurs when an XML parser processes external entity references in an XML document without restricting them.
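The mitigation the description points at, as an added example that is not part of this advisory and not ERPNext's own code or its fix: a Python parser for inbound EDI XML that refuses any DTD before the document reaches the real parser, plus a small triage wrapper that returns a record suitable for audit logging. The function names, the EDI element names, the sample documents and the placeholder file path are all assumptions made here.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an inbound XML document carries a DTD."""


def reject_dtd(data: bytes) -> None:
    """Scan the document with a bare expat parser and abort at the first
    <!DOCTYPE ...> declaration.

    A DTD is the only place entity declarations can live, so refusing it
    blocks external entities (file:// and URL reads), parameter entities and
    entity-expansion DoS with a single rule; this is the same policy
    defusedxml applies with forbid_dtd=True.
    """
    scanner = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside the handler stops the scan before any entity the
        # DTD declares can be referenced.
        raise UnsafeXMLError(
            f"DTD not accepted (doctype={name!r}, system={sysid!r}, "
            f"internal_subset={bool(has_internal_subset)})"
        )

    scanner.StartDoctypeDeclHandler = on_doctype
    try:
        scanner.Parse(data, True)
    except expat.ExpatError:
        pass  # well-formedness is judged by the real parse below


def parse_edi_xml_hardened(data: bytes) -> ET.Element:
    """Parse an inbound EDI XML document (hypothetical helper name),
    refusing any DTD first. Without a DTD nothing but the five predefined
    entities can appear, so the second parse cannot expand anything."""
    reject_dtd(data)
    return ET.fromstring(data)


def triage_edi_document(data: bytes) -> dict:
    """Return a verdict record for audit logging: whether the document was
    accepted, its root element name, and the rejection reason if any."""
    try:
        root = parse_edi_xml_hardened(data)
    except UnsafeXMLError as exc:
        return {"accepted": False, "root": None, "reason": str(exc)}
    except ET.ParseError as exc:
        return {"accepted": False, "root": None, "reason": f"malformed XML: {exc}"}
    return {"accepted": True, "root": root.tag, "reason": None}


# Constructed sample inputs; these are not real ERPNext EDI payloads.
BENIGN_EDI = b"""<?xml version="1.0" encoding="UTF-8"?>
<Invoice>
  <Supplier>ACME Ltd</Supplier>
  <Total currency="EUR">120.00</Total>
</Invoice>"""

# Internal DTD subset declaring an external entity; the path is a placeholder.
INTERNAL_DTD_EDI = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Invoice [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/config/file">
]>
<Invoice><Supplier>&ext;</Supplier></Invoice>"""

# External DTD reference; the host is a placeholder.
EXTERNAL_DTD_EDI = b"""<?xml version="1.0"?>
<!DOCTYPE Invoice SYSTEM "http://PLACEHOLDER.example/invoice.dtd">
<Invoice><Supplier>ACME Ltd</Supplier></Invoice>"""

MALFORMED_EDI = b"<Invoice><Supplier>ACME Ltd</Invoice>"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_EDI), ("internal-dtd", INTERNAL_DTD_EDI),
                       ("external-dtd", EXTERNAL_DTD_EDI), ("malformed", MALFORMED_EDI)):
        print(label, triage_edi_document(doc))
```

The scan costs one extra pass over accepted documents, which is cheap next to the import itself. Where the application parses with lxml rather than the standard library, the equivalent hardening is an `lxml.etree.XMLParser` created with `resolve_entities=False`, `no_network=True` and `load_dtd=False`, and the rejection reason above is the kind of detail worth writing to the application log so that rejected uploads can be reviewed.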
Recommendations
Update to version 15.104.3.
Update to version 16.12.0.
Fix
XXE
Affected Products
Erpnext